Xen project Mailing List

Re: [PATCH] x86: Expose more MSR_ARCH_CAPS to hwdom

To: Jason Andryuk <jandryuk@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>

Date: Tue, 19 Jul 2022 20:29:02 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=dfd9Qg21koYFJWiBMBhFrh7igxUgJod9k0RsrkbG4TE=; b=kCmHvHFJIE20xjLfjBHqFVUBy/awlBmoFNq05an4neULizG7T026PNBRVdRe6m64Fys+bs1PRNWAetn3afMTbwpJV0BmNtD3jDNFCJ0R+V5zvCg00xnmvxt/qZKZrTOoW5qUjRJ32OYIPCp2BZCZcoEd44PE0bu3X0Fi29diPZ0P+TZ1Ecq+OyqkZo0FbYAv6R/dSCjsG9QfR8ktQjXwI6b7TQRfRjVzJRBvARoZvIR/Tta5iUsB2MdP1V1CXkuysdMJ/OtQvKwoSPrq9A4hV6KGbAyYCRw+UjWh3+j2+SPgOUyeoLs22s/Hx9iZfGrJD7bI01qbipomwZQ/w8kYIQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NKtnHlgKYWGyTCrBwIF8d+l92oRf5aNc4VFDBmvlGyqI/jQYINDWxSYik6dj/09gwlIatiJ84aDIoLiLkOMNbLujsbviaAqvDtlYohtlE7B51FvTa8dmIVGp3fbEpIGNPWw7OHLUGa58FRrC1PSSbjmSUhlXGki0hjnXytuwaeV0FSi+goLYv+5xptRrZdUr4BSoeARJrIHyAru2Q2kJDj5dhgzMgDTnzwrtKF0NChonHu1p0EnGxQl5dWYOFGcVjNgQMY+5cQS5tl8TUY+uLR90XWGBABDzSmm/76T8I39Nvzx82jOpwktLJ4etwtoHaFLEMmTusFxducOu0C21zw==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: Jan Beulich <jbeulich@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>

Delivery-date: Tue, 19 Jul 2022 20:29:21 +0000

Ironport-data: A9a23:5wc4h6/9+I8Qd4wqzk5YDrUDtX+TJUtcMsCJ2f8bNWPcYEJGY0x3m GIdDDzVP/6KZ2T1KNtwbYW2oRtU6JOBx9RqTVBsqSw8E34SpcT7XtnIdU2Y0wF+jyHgoOCLy +1EN7Es+ehtFie0Si+Fa+Sn9z8kvU2xbuKUIPbePSxsThNTRi4kiBZy88Y0mYctitWia++3k YqaT/b3ZRn0gVaYDkpOs/jZ8Ew27ayp0N8llgdWic5j7Qe2e0Y9VPrzFYnpR1PkT49dGPKNR uqr5NlVKUuAon/Bovv8+lrKWhViroz6ZGBiuVIPM0SWuTBQpzRa70oOHKF0hXG7Kdm+t4sZJ N1l7fRcQOqyV0HGsLx1vxJwS0mSMUDakVNuzLfWXcG7liX7n3XQL/pGVhgLOYoC3OFNIUJX0 /YFBiodfzuhvrfjqF67YrEEasULCuDOZdpakFcwiDbTALAhXIzJRLjM6ZlAxjAsi8tSHPHYI c0EdT5oaxeGaBpKUrsVIMtmwKH02T+iI3sB9gP9SakfugA/yCRY1rT3PcWTUduNXchPxW6Tp 37c/nS/CRYfXDCa4WXVrS703LCV9c/9cJ0sJbKg+fxOuWGC4WwfOC0IX3GEhebs3yZSXPoac ST44BEGr6E0+Fa6U9rVUBixoXrCtRkZM/JAHut/5AyTx6785weCGnNCXjNHcMYhtsI9WXotz FDht9HjCCFrsbaVYWmA7brSpjS3UQAKKUcSaClCShEKi+QPu6k2hxPLC9xlQKi8i4SsHSmqm m7b6i8jm78UkMgHkb2h+kzKiC6toZ6PSRMp4gLQXSSu6QYRiJOZWrFEIGPztZ5oRLt1hHHa1 JTYs6ByNNwzMKw=

Ironport-hdrordr: A9a23:fp1UH6mcZ0O4Apl83G57Hs9xuKTpDfOPimdD5ihNYBxZY6Wkfp +V8cjzhCWftN9OYhodcIi7SdK9qXO1z+8X3WGIVY3SETUOy1HYVr2KirGSjwEIeheOvNK1sJ 0NT0EQMqyWMbEXt6fHCUyDYq4dKbq8ge+VbIXlvhFQpGhRAskOgTuRSDzra3GeLzM2Z6bRYa Dsgvav0ADQHEj/AP7aOlA1G8z44/HbnpPvZhALQzQ97hOVsD+u4LnmVzCFwxY3SVp0sPYf2F mAtza8yrSosvm9xBOZ/XTU9Y5qlNzozcYGLNCQi/ISNi7nhm+TFcRcsvy5zXMISdOUmRMXee r30lMd1gNImjTsl1SO0FnQMs/boXATAjHZuAalaDDY0LHErXoBerZ8bMRiA1XkAgMbza9BOO gg5RPni7NHSRzHhyjz/N7OSlVjkVe1u2MrlaoJg2VYSpZ2Us4ZkWUzxjIjLH47JlON1Kk3VO 11SM3M7vdfdl2XK3jfo2l02dSpGnA+BA2PTEQOstGcl2E+pgEz82IIgMgE2nsQ/pM0TJdJo+ zCL6RzjblLCssbd7h0CusNSda+TmbNXRXPOmSPJkmPLtBOB1vd75rspLkl7uCjf5IFiJM0hZ TaSVtd8XU/fkr/YPf+qKGjMiq9NVlVcQ6duv22vaIJy4EUbICbQhGrWRQpj9aqpekZD4nSR+ uzUagmccPeEQ==

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHYm6tQOqkwxP1MXkWBPUBpFSB52q2GJQcA

Thread-topic: [PATCH] x86: Expose more MSR_ARCH_CAPS to hwdom

On 19/07/2022 21:08, Jason Andryuk wrote: > commit e46474278a0e ("x86/intel: Expose MSR_ARCH_CAPS to dom0") started > exposing MSR_ARCH_CAPS to dom0. More bits in MSR_ARCH_CAPS have since > been defined, but they haven't been exposed. Update the list to allow > them through. > > As one example, this allows a linux Dom0 to know that it has the > appropriate microcode via FB_CLEAR. Notably, and with the updated > microcode, this changes dom0's > /sys/devices/system/cpu/vulnerabilities/mmio_stale_data changes from: > "Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state > unknown" > to: > "Mitigation: Clear CPU buffers; SMT Host state unknown" > > This ecposes the MMIO Stale Data and Intel Branch History Injection > (BHI) controls as well as the page size change MCE issue bit. > > Fixes: commit 2ebe8fe9b7e0 ("x86/spec-ctrl: Enumeration for MMIO Stale Data > controls") > Fixes: commit cea9ae062295 ("x86/spec-ctrl: Enumeration for new Intel BHI > controls") > Fixes: commit 59e89cdabc71 ("x86/vtx: Disable executable EPT superpages to > work around CVE-2018-12207") > > Signed-off-by: Jason Andryuk <jandryuk@xxxxxxxxx> > --- > This is the broader replacement for "x86: Add MMIO Stale Data arch_caps > to hardware domain". > > It wasn't discussed previously, but ARCH_CAPS_IF_PSCHANGE_MC_NO is added > as well. I deliberately excluded IF_PSCHANGE_MC_NO because it wasn't relevant. But I suppose Linux is looking for it anyway? IF_PSCHANGE_MC_NO is the mouthful meaning "the frontend doesn't have a strop when it takes an assist finds that the iTLB mapping has changed". It's only interesting to hypervisors looking after an EPT guest, which means that it's only interesting to expose to HAP guests with nested virt. Except we disable mitigations for nested virt because there's a bug in the nHAP code which I didn't have time to figure out, and none of this is remotely security supported to start with. In principle, TAA_NO's visibility should be dependent on the visibility of RTM, but given this is all a pile of hacks anyway, I'm not sure how much I care at this point. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.